Patches & Updates of the Week:


(U) Microsoft's Patch Tuesday updates led by rare print spooler bug 

(U) Microsoft's July Patch Tuesday offering includes 11 security updates, six of them rated critical, covering almost 50 individual bugs. MS16-084, MS16-085, MS16-086, MS16-087, MS16-088 and MS16-093 were all given a critical rating by Microsoft, with MS16-087 specifically called out by several industry experts as particularly interesting. This bulletin contains CVE-2016-3238 and CVE-2016-3239, which if exploited could allow an attacker to execute a man-in-the-middle attack on a workstation or print server, allowing remote code execution. "One of the new appearances this month is Windows Print Spooler; we haven't seen a bulletin related to it in 3 years. Luckily, many enterprises will already have printers installed on their images, which should help to mitigate risk from this," Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team, told SCMagazine.com in an email. Bobby Kuzma, CISSP, systems engineer at Core Security, agreed the risk of exposure from this particular vulnerability was low, but cited a different reason than Reguly. "It's been a while since we've seen remote code execution in the print spooler of all places. It fails to validate printer drivers, so an attacker would need to be in a position to coerce users into installing the drivers, and the users would need permissions to do so," Kuzma wrote in an email to SCMagazine.com. However, Günter Ollmann, CSO of Vectra Networks, said in an emailed statement to SCMagazine.com that this vulnerability makes printers a prime threat vector. "This makes printers one of the most powerful threat vectors on a network," Ollmann said. "Rather than infecting users individually, an attacker can effectively turn one printer into a watering hole that will infect every Windows device that touches it." Amol Sarwate, director of engineering and head of vulnerability research at Qualys, pointed out MS16-084, MS16-085 and MS16-088 as requiring immediate attention, as all three allow remote code execution, and noted that MS16-093 refers to dozens of vulnerabilities related to Adobe's Flash Player. Adobe today issued fixes for these problems. "This update affects Windows, Mac, Linux and ChromeOS. As many vulnerabilities fixed by the update allow attackers to take complete control of the victim machine, we recommend applying the Flash and Reader update immediately," he wrote in a blog. The five bulletins rated as important by Microsoft contain vulnerabilities that can allow elevation of privilege, information disclosure, security feature bypass and remote code execution if exploited. (scmagazine.com, 12Jul16)


(U) Serious flaw fixed in widely used WordPress plug-in 

(U) If you're running a WordPress website and you have the hugely popular All-in-One SEO Pack plug-in installed, it's a good idea to update it as soon as possible. The latest version, released Friday, fixes a flaw that could be used to hijack the site's admin account. The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specially crafted headers to the website. The Bot Blocker feature is designed to detect and block spam bots based on their User-Agent and Referer header values, according to security researcher David Vaartjes, who found and reported the issue. If the Track Blocked Bots setting is enabled -- it's not by default -- the plug-in will log all requests that were blocked and will display them on an HTML page inside the site's admin panel. Because the plug-in fails to properly sanitize the requests before displaying them, attackers can inject malicious JavaScript code in the request headers, allowing the code to end up as part of the HTML page. This allows for a persistent cross-site scripting (XSS) attack, where the rogue code will be executed every time a user views the log page. Because that page is in the admin panel, that user will likely be the administrator, and the code can steal their session tokens. These tokens are values stored inside the browser that allow a website to identify a logged-in user. By placing these values in their own browsers, attackers could access the website as an administrator without having to authenticate. The rogue code could also force the administrator's browser to perform an action that they haven't authorized. The All in One SEO Pack developer, a company called Semper Fi Web Design, released version 2.3.7 on Friday to fix this vulnerability. Users are advised to upgrade to this version as soon as possible or to make sure they don't have the Track Blocked Bots setting enabled. (IDG News Service, 11Jul16)
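The defect described above is an output-encoding failure: header values that the server logged are later written into an admin page as raw HTML. The following Python sketch is an added example (not the plug-in's code) that reproduces the bug in miniature beside the corrected form; the log entries and the test payload are constructed for illustration.

```python
import html
import re

# Constructed sample of blocked requests, shaped like what a bot-blocker would
# log: IP, User-Agent and Referer. The two header values are attacker-controlled
# input; the second entry carries a harmless test payload.
BLOCKED_REQUESTS = [
    {"ip": "203.0.113.5", "ua": "BadBot/1.0", "referer": "http://spam.example/"},
    {"ip": "203.0.113.9", "ua": "<script>alert(1)</script>",
     "referer": "\"><img src=x onerror=alert(2)>"},
]

FIELDS = ("ip", "ua", "referer")


def render_log_vulnerable(entries):
    """Interpolates logged header values straight into the admin page (the bug)."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{e[f]}</td>" for f in FIELDS) + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_fixed(entries):
    """Same page, but every value is HTML-escaped at the output sink, so
    '<', '>', '&' and quotes from the request can never open a tag."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(e[f], quote=True)}</td>" for f in FIELDS)
        + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def contains_active_markup(page):
    """Check used here only to show the difference: after removing the
    template's own table tags, does any '<' from the input survive as markup?"""
    stripped = re.sub(r"</?(table|tr|td)>", "", page)
    return "<" in stripped


if __name__ == "__main__":
    print("vulnerable page carries live markup:",
          contains_active_markup(render_log_vulnerable(BLOCKED_REQUESTS)))
    print("fixed page carries live markup:",
          contains_active_markup(render_log_fixed(BLOCKED_REQUESTS)))
```

The point of escaping at the sink rather than filtering at the input is that the log must still store exactly what the bot sent (that is its purpose); the page that displays it is where the value changes context from text to HTML, so that is where encoding belongs.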


(U) SQLite vulnerability could expose sensitive data from Chrome, Firefox, and more 

(U) SQLite 3.13.0, released at the end of May, contained a fix for a potentially dangerous vulnerability that could be used to leak sensitive data from SQLite temporary files. While SQLite is not the first name that comes to mind when you say "database," this is one of those crucial projects that are used all over the place in various desktop or Web-based products from companies like Adobe, Google, Microsoft, Mozilla, but also many others. According to security researchers from KoreLogic, all SQLite versions prior to 3.13.0 contained an information disclosure issue that originated in the way the database selected the directory where to store temporary files, used to save data that's in transit through the database. Researchers say that SQLite would carry out a series of checks on the app's desired location to store temporary files. If these checks failed, SQLite would store temporary files in the "." path, which was the app's current folder. "[T]his [vulnerability] could lead to insecure behavior by some application using SQLite under these conditions," KoreLogic said. Researchers explain that SQLite-based applications could write temporary files on NFS or SMB network shares, making data capture possible, or on removable drives, which can be taken out of the user's physical control. These temporary files can, in theory, contain sensitive data not meant to be shared outside the original application's scope, for example Web traffic for browsers or details about downloaded files for a BitTorrent client. Updating all apps using older SQLite databases should take a while. In the meantime, developers should review their code based on KoreLogic's findings. (Softpedia, 07Jul16)
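Two checks a developer reviewing an application against KoreLogic's finding would want are (a) which SQLite library version the process actually links, and (b) whether temporary objects can be kept out of the filesystem altogether. The Python below is an added example, not code from SQLite or KoreLogic; it uses the standard sqlite3 module and the documented temp_store pragma, and the table contents are constructed.

```python
import sqlite3

# SQLite release that changed the temporary-file directory fallback (from the article).
FIXED_IN = (3, 13, 0)


def sqlite_library_is_patched(version_info=None):
    """True when the SQLite library linked into this Python is 3.13.0 or newer."""
    if version_info is None:
        version_info = sqlite3.sqlite_version_info
    return tuple(version_info) >= FIXED_IN


def open_hardened(path=":memory:"):
    """Open a connection whose temporary tables, indices and sort buffers live in
    memory instead of whatever directory SQLite's fallback logic picks.
    Caveat (an assumption about build options, not from the article): a library
    compiled with SQLITE_TEMP_STORE=0 ignores this pragma and always uses files."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA temp_store = MEMORY")
    return conn


def temp_store_mode(conn):
    """Report the temp_store setting: 0 default, 1 file, 2 memory."""
    return conn.execute("PRAGMA temp_store").fetchone()[0]


def demo():
    """Run a query that needs scratch space and report where that space lives."""
    conn = open_hardened()
    mode = temp_store_mode(conn)
    conn.execute("CREATE TABLE downloads(name TEXT, size INTEGER)")
    # Constructed rows standing in for the kind of data the article mentions.
    conn.executemany(
        "INSERT INTO downloads VALUES (?, ?)",
        [(f"file{i}.bin", i) for i in range(500)],
    )
    # ORDER BY on an unindexed column forces a sort, which may spill to temp storage.
    top = conn.execute(
        "SELECT name FROM downloads ORDER BY size DESC LIMIT 2"
    ).fetchall()
    conn.close()
    return mode, [row[0] for row in top]


if __name__ == "__main__":
    print("linked SQLite", sqlite3.sqlite_version,
          "patched:", sqlite_library_is_patched())
    print("temp_store mode and top rows:", demo())
```

The version check matters because many applications ship their own SQLite build rather than using the system library, so the fix only lands when that embedded copy is updated; the pragma is a per-connection mitigation that does not depend on the library version.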
Threats & Vulnerabilities of the Week:


(U) Irongate heralds new cyber threat to industry

(U) The FireEye Labs Advanced Reverse Engineering (FLARE) team has identified a type of malware that can attack industrial control systems (ICS) but hide itself from conventional antivirus software. The malware family, which FireEye has dubbed "Irongate," appears to target specific industrial processes running under a Siemens control system and allows an outside agent to step between the edge node PLC and the operator's HMI system and send false information to both. While the analysis by FireEye and Siemens concludes that the currently known versions of the malware would not work in a standard Siemens system environment and pose no increased risk to process operators, the code's characteristics seem to indicate that an avenue of attack on ICS is developing that may need countering in the long term. According to a report from FireEye, the Irongate code first appeared in 2014, but anti-virus software did not immediately identify it as malicious. FLARE found several Irongate samples in the latter half of 2015 while researching malware "droppers" and began analyzing its operation, issuing its report last month. FireEye concluded that the code examples it has analyzed are a test case, proof of concept, or research activity, not an actual attempt to compromise an ICS, but recommends that industrial systems consider taking steps to counter its attack techniques. The Irongate malware appears to look for and replace DLLs in an ICS with a corrupted version. The malware then acts as a man-in-the-middle between process I/O and operator software, capturing legitimate traffic and replaying it to the operator while sending its own commands to the process. The malware also sought to evade detection and resist casual analysis by exiting early when running in a sandbox environment. The specific code samples analyzed targeted user-generated DLLs interacting with a system simulation, such as are used during development to test process control code, and did not threaten deployed systems. Still, Irongate possessed several characteristics unique in ICS malware, and similar to characteristics of Stuxnet. These characteristics include being targeted to a single, specific process, replacing DLLs to achieve process manipulation, recording and playing back process data to hide its manipulation, and detecting anti-malware environments. (EE Times, 13Jul16)


(U) CuteRansomware using Google Docs as a launch platform 

(U) Despite its benign nickname, a new strain of malware called cuteRansomware has been uncovered that uses a Google Doc generated by the cybercriminal to host the decryption key and command-and-control functionality, according to a blog post from Netskope. The specific case cited uses Google Docs, but Ravi Balupari, Netskope's director of engineering and cloud security research, told SCMagazine.com in an email on Wednesday that any cloud-based system could be substituted. CuteRansomware was spotted in the latter half of June. Balupari called it rather rudimentary in design and possibly an early version, and believed it was most likely authored in China to target Chinese citizens. The ransomware so far has only been spotted using Google Docs, but Balupari said it is not limited to this cloud app. "This can happen in any cloud app and, in fact, we have seen other ransomware and general malware transferred via other cloud apps. For example, last week we reported on Cerber ransomware being transferred via Microsoft Office 365," he told SCMagazine.com. Using Google Docs specifically creates a host of issues from a cybersecurity standpoint. Netskope noted that Google Docs uses HTTPS by default and the network data transmission over SSL can easily bypass normal security measures, such as a firewall. In addition, since the victimized company uses Google Docs as part of its productivity software suite, it is almost impossible to block malicious docs. "We believe this is critical," Netskope wrote. "As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools' lack of visibility into SSL becomes a huge benefit to them." But the most interesting aspect of the threat, the company believes, is how the Google Doc is actually used during the attack. First the ransomware creates a mutex with the name cuteRansomware, encrypts the files and then writes several text files stored under the %TEMP% directory. A pop-up ransom note is then shown telling the user the files have been encrypted. "Then comes the interesting part: The binary captures the computer name of the victim and uploads it and the RSA key for encrypting/decrypting files to the malicious actor-controlled Google Docs form," Netskope wrote. This malware is being spread mostly through drive-by downloads, Balupari said. CuteRansomware's existence could be a harbinger of things to come. Netskope researchers said hackers may turn to cloud services as an attack platform to store keys and to be an integral part of their command-and-control system. (scmagazine.com, 13Jul16)


(U) Sophisticated nation-state sponsored malware could shut down electric grid 

(U) SentinelOne researchers discovered what they believe to be a sophisticated nation-state sponsored malware campaign targeting at least one European electric company. The researchers believe the malware originated in Eastern Europe and that a dropper tool is most likely being used to first gain access to targeted network users, and then to introduce a payload designed to extract data or potentially shut down an energy grid, according to a 12 July blog post. The malware appears to be targeting facilities that not only have software security in place, but physical security as well, and the exploit affects all versions of Microsoft Windows and is known to exploit the CVE-2014-4113 and CVE-2015-1701 vulnerabilities, the post said. SentinelOne said it is unknown which attack vector is used by the malware and it is possible that infection is spread via physical access or phishing emails. Researchers said the malware is designed to bypass traditional antivirus solutions, next-generation firewalls, and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware. "The sample evasion and the technique this malware uses to remove the antivirus is not common -- it runs at a very early stage in the boot process, before the antivirus software is loaded," SentinelOne Chief Security Officer Udi Shamir told SCMagazine via emailed comments. "Also, steps have to be taken before the reboot to remove any antivirus that would be running during this early boot time." The payload used in the attack was a simple data exfiltrator that can efficiently send data to an outside adversary, and he said the sample obtained by researchers most likely exploits old vulnerabilities in unpatched systems. Shamir noted that the infection doesn't spread on its own and that there is no concern for infection by this variant; however, he said it is very possible for attackers to use this technique outside of Europe. The energy industry requires substantial investment to tilt the playing field towards defense, Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire, told SCMagazine.com via emailed comments. "We've already seen that the industrial systems controlling the power grid can be vulnerable to cyber attacks," he said. "It's no surprise that governments are investing in an expanding arsenal of tools to leverage these weaknesses." Tripwire Chief Technology Officer Dwayne Melancon agreed and added that it pays to make cyber crooks' lives more difficult. "For example, implementing multi-factor authentication to prevent access using only a password is crucial," Melancon said. "Additionally, organizations should segment their networks to limit the amount of sensitive information that can be accessed by a single account." (scmagazine.com, 13Jul16)
(U) An online market that offered cheap hacked servers returns

(U) A website that offered access to hacked servers for as little as $6 is back online. The market, called xDedic, went down 15 June, right after security firm Kaspersky Lab publicly exposed it. Access to more than 70,000 compromised servers from governments, businesses and universities had been sold through the site in the two years it was in operation. Kaspersky Lab, however, reported its finding to law enforcement agencies and said that "several major" internet service providers helped shut the site down. But after a brief hiatus, the makers of xDedic have been quick to revive the marketplace, security firm Digital Shadows said on Tuesday. On 24 June, an anonymous user named xDedic was spotted sharing the site's new address on a Russian hacking forum, according to Digital Shadows. The new xDedic site was found to be identical to the original one, although none of the previous user accounts were carried over. The domain was also shared on a French-language criminal website located on the dark web. It's still unknown how many users the revived xDedic site currently has, but the previous site attracted 30,000 users a month, Digital Shadows said. Once more hackers become aware of the site, it may only be a matter of time before it becomes popular again, the security firm added. The new xDedic site has opened user registration to all, but at the cost of paying $50. (IDG News Service, 13Jul16)


(U) 92 percent of Internet-available ICS hosts have vulnerabilities 

(U) Kaspersky, the first major antivirus vendor to provide security software specifically aimed at ICS/SCADA equipment, has published a report today that details the sad state of security in the field of Industrial Control Systems (ICS). The company's experts say that, following an Internet-wide scan, they found 188,019 hosts connected to ICS equipment, in 170 countries around the globe. Of these, 92 percent, or 172,982, contained vulnerabilities that can be exploited to attack, take over, or even harm devices and their normal mode of operation. While ICS hacking is not as widespread as IoT hacking, which has become a core component of DDoS botnets, malicious groups would find no difficulties in attacking critical infrastructure if they ever chose to. Cyber-attacks on ICS systems, in general, are at an all-time high, according to a Booz Allen report released in June. According to Kaspersky, most of the vulnerable devices are located in the US (57,417), followed at a long distance by Germany (26,142), Spain (11,264), France (10,578), and Canada (5,413). Most of these devices are available to external connections via the HTTP protocol (116,900), Telnet (29,586), Niagara Fox (20,622), SNMP (16,752), or Modbus (16,233). A large number of devices are from vendors such as Tridium (24,446), Sierra Wireless (17,908), Beck IPC (14,837), Digi International (12,367), and SMA (11,904). The vulnerability encountered the most, by far, in ICS/SCADA equipment was Sunny Web Box Hard-Coded Credentials (CVE-2015-3964), found in 11,904 devices. The vulnerable devices were found in almost all major critical industries: electricity, aerospace, transportation (including airports), oil and gas, metallurgy, chemical, agriculture, automotive, utilities, drinks and food manufacturing, construction, liquid storage tanks, and smart city technology. Internet-available and vulnerable devices were found in both the public and the private sectors. Kaspersky experts say that 17,042 ICS components on 13,698 different hosts likely belonged to very large organizations that had failed to properly secure ICS devices. The high percentage of vulnerable equipment that security researchers discovered shows that companies are failing to update their critical infrastructure in due time, leaving exploitable holes through which malicious actors could carry out economic sabotage. The large number of countries in which vulnerable ICS equipment was discovered shows that attacks on critical network infrastructure are possible against almost any state around the globe. For more in-depth and technical details, Kaspersky provides two reports, one detailing ICS availability statistics and one detailing ICS vulnerabilities. (Softpedia, 11Jul16)


(U) Cerber developers create new ransomware called Alfa 

(U) The developers behind the Cerber ransomware released their latest creation upon the Interwebs, and it's a new ransomware variant named Alfa, Bleeping Computer reported last week. Cerber is one of today's most active and widespread ransomware families, alongside Locky, CryptXXX, and Jigsaw. Security researchers did not crack its encryption, so it is quite odd to see the group creating a new and different version without an apparent reason. Since Alfa is new on the scene, security researchers still don't know how this threat spreads, but they are aware that Alfa is linked to Cerber's devs and that it features a rock-solid encryption routine that currently can't be broken. The ransomware targets 142 different file types, and after the encryption process ends, it drops text and HTML-based ransom notes on the user's Desktop and other locations. The ransom note is improperly worded and may need some work. Also, the ransom note uses the "Alpha" term instead of Alfa, which is used only on the Tor-based website where users are told to go to decrypt their files. The name Alfa ransomware will likely be used in future versions because there was already an Alpha ransomware that appeared at the start of May 2016, for which security researchers created a free decrypter. The Cerber devs would likely want to distance themselves from the term "Alpha ransomware" as much as possible since they may not want victims thinking they can recover files after googling the ransomware's name. Alfa asks 1 Bitcoin (~$650) from each infected user. (Softpedia, 10Jul16)


(U) Kovter malware masquerades as Firefox update 

(U) Kovter malware, packaged as a legitimate Firefox browser update, is being delivered to unsuspecting victims via drive-by-download attacks. Kovter, which also occasionally installs other malware, has been around for a few years now, and has gone through many changes that keep it a current threat. "What makes this new variant particularly nasty is that it's the later fileless version of Kovter, and it's now using an apparently legitimate certificate," Barkly researchers have discovered. "That's bad news because a legitimate certificate causes plenty of traditional antivirus/endpoint solutions to give the software a pass." As the company shared their insight with other AV vendors, many of them are now able to detect this variant. Comodo, the CA that signed the certificate misused by the malware, has also been notified and will hopefully soon -- if they haven't already -- revoke it. Users are advised always to be wary of random pop-ups telling them some software needs an update. Most software by now -- and popular browsers especially -- have in-software mechanisms for downloading and implementing updates. If, for whatever reason, they don't want to use it, updates should be picked up directly from the vendors' official websites or from well-reputed download sites. "Good user education can generally go a long way to reducing attacks, but as this particular attack demonstrates, even the best of us can be tricked into installing something that appears to be legitimate, or accidentally doing something we wish we could undo," the researchers noted. (helpnetsecurity.com, 08Jul16)
(U) New "Patchwork" cyber-espionage group uses copy-pasted malware for its attacks

(U) Since December 2015, a new cyber-espionage group has been launching attacks aimed at several governments and other related organizations working on military and political assignments linked to issues surrounding Southeast Asia and the South China Sea. This APT (Advanced Persistent Threat) stands apart from all other recent cyber-espionage groups because it doesn't seem to be using its own malware, like, for example, the Pacifier APT. Instead, the group has been copy-pasting malware source code from GitHub and hacking forums to create a "patchwork" of new threats, hence its name of the Patchwork APT. Security firm Cymmetria says the group has targeted and infected at least 2,500 machines in several countries since December 2015 alone, but there are clues that the group may have been active since 2014. For their attacks, the group has used spear-phishing emails that contained PowerPoint files as attachments. Most of these emails used subject lines relating to China's activity in the South China Sea, but sometimes even pornography. The PowerPoint file contained the Sandworm exploit (CVE-2014-4114) that allowed crooks to infect the underlying operating system with their malware. Cymmetria says crooks used an assortment of copy-pasted code from known malware and malware kits such as PowerSploit, Meterpreter, AutoIt, and UACME. This malware jumble effectively created a backdoor trojan, which, in theory, should have been easy to pick up, since most antivirus vendors were well aware of this code and its mode of operation. Unfortunately, the attacks went undiscovered until May 2016, when Cymmetria's security product was the first to catch them. As for attribution for these attacks, things aren't that clear. Cymmetria experts say: "Many of the primary targets of this campaign are regional neighbors of India, and other targets seem to be targeted (by their interests, occupation, and by the content of the spear phishing) to issues affecting India. Circumstantially, this targeting correlates with intelligence requirements necessary for a pro-Indian entity". Evidence includes the times of day when the malware was edited and the times of day when the C&C servers were active, while also indicating that all of India's neighbors were among the targets. India is not known as a hotbed for cyber-espionage campaigns. The low technical ability displayed in the crafting of the malware, which uses publicly available code, may support the conclusion of an Indian actor entering the APT stage. Nevertheless, the same experts say that this evidence could very well be planted to make it look like it's an Indian threat actor behind this campaign. Until further evidence surfaces, 100 percent attribution will have to wait. An in-depth analysis of the Patchwork APT's activities, malware, spear-phishing tactics, and more is available via Cymmetria's Unveiling Patchwork the Copy-Paste APT report. (Softpedia, 07Jul16)


(U) Over 6,000 Redis database servers ready for the taking 

(U) The total disregard for any security features in the creation of the Redis database server has come around to haunt the project years after, as Risk Based Security (RBS) reports discovering 6,338 compromised Redis servers. Redis is a NoSQL database server that's ideal for storing data in the key-value format, using an in-memory system for handling the data and subsequent queries. According to statistics from DB-Engines, Redis ranked tenth in terms of usage and popularity in 2015. Because Redis was created with performance in mind, in a default configuration the database doesn't feature any type of authentication or other hardened security features. This means that anyone can access its content just by knowing its IP and port. Even worse is that, towards the end of 2015, an exploit appeared that allowed a third party to store an SSH key in the authorized_keys file of any Redis server that doesn't have an authentication system put in place. There are over 30,000 Redis database servers without any authentication available online. According to RBS researchers, 6,338 of these servers were compromised. The company reached this conclusion after performing a non-intrusive scan using Shodan. Scanning Shodan for open Redis servers that featured non-standard SSH keys, researchers found 5,892 instances of SSH keys tied to the email address ryan@exploit.im. They also found 385 keys for root@chickenmelone.chicken.com and 211 keys for root@dedi10243.hostsailor.com. As for compromised Redis database versions, researchers found 106 different versions, ranging from the very early 1.2.0 version up to the latest release, 3.2.1. "While we were unable to get anyone to go on the record, it appears from our analysis that we have confirmation of two things, the first being that this is not a new issue, and second, some servers are sitting out there infected and are not being utilized for anything malicious," RBS researchers explained. The security firm recommends that webmasters update their Redis databases to the most recent version and activate "protected mode," a security feature introduced in Redis with version 3.2. These 6,338 servers are still exposed today, meaning that new threat actors can easily re-compromise them. (Softpedia, 07Jul16)
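RBS's recommendation (upgrade, then turn on protected mode) translates into a handful of redis.conf directives that an administrator can audit without touching the server. The Python below is an added example, not RBS's or the Redis project's code: it parses a configuration file and flags the settings that leave an instance open in the way the article describes. Both sample configurations are constructed; the directive names (bind, protected-mode, requirepass, rename-command) are standard Redis directives, and renaming CONFIG is a commonly recommended hardening step that the article itself does not mention.

```python
# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
# default-style redis.conf: listens everywhere, no password, protected mode off
port 6379
protected-mode no
# bind 127.0.0.1
"""

HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

PROTECTED_MODE_SINCE = (3, 2, 0)  # from the article: protected mode arrived in 3.2


def parse_redis_conf(text):
    """Map each directive name to the list of values seen; Redis lets later
    lines override earlier ones, so callers look at the last value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name.lower(), []).append(value.strip())
    return directives


def audit_redis_conf(text, version=(3, 2, 1)):
    """Return a list of findings for the given config and server version;
    an empty list means none of the checked exposures was found."""
    d = parse_redis_conf(text)
    findings = []

    # No bind line, or a wildcard bind, means the instance answers on every interface.
    binds = d.get("bind", [])
    if not binds or any(tok in ("0.0.0.0", "*") for b in binds for tok in b.split()):
        findings.append("bind: server accepts connections on all interfaces")

    # Protected mode only exists from 3.2; before that, the only fix is to upgrade.
    if tuple(version) < PROTECTED_MODE_SINCE:
        findings.append("version: predates protected mode (3.2); upgrade")
    elif d.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    # Without requirepass any client that can reach the port has full access.
    if not d.get("requirepass") or d["requirepass"][-1].strip('"') == "":
        findings.append("requirepass: no authentication configured")

    # CONFIG lets a client change where the server writes its dump file;
    # renaming it to an empty string disables the command entirely.
    renamed = d.get("rename-command", [])
    if not any(v.upper().startswith("CONFIG ") for v in renamed):
        findings.append("rename-command: CONFIG still reachable by clients")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

Running the audit against an instance's on-disk file catches only what is written there; settings changed at runtime through CONFIG SET are not persisted unless CONFIG REWRITE was issued, which is one more reason the last check exists.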


(U) D-Link flaw affects 400,000 devices 

(U) A web camera's code vulnerability discovered by researchers last month was reused across the manufacturer's product lines, affecting more than 120 products and 400,000 individual devices. The pre-authentication flaw, discovered by Senrio security researchers, was initially found in the D-Link DCS-930L, a wireless IP surveillance camera that is controlled remotely. The stack overflow vulnerability allows for remote code execution on the device. The researchers discovered that the software component appeared across the company's product lines, although it initially appeared that some of the products did not utilize the software component in the default settings. However, this estimation unfortunately proved to be overoptimistic. D-Link conducted its own analysis of the company's network routers, IoT devices, and home security devices and informed Senrio that more than 120 devices are affected. "It constitutes a fairly sizable portion of their product line," said Stephen A. Ridley, CTO and founder at Senrio. The Taiwan-based manufacturer has not yet released a patch for the flaw. In January, Vectra Networks hacked D-Link's consumer-grade WiFi webcam and used the web camera to create a persistent access point into corporate networks. "While the thought of strangers watching your sleeping baby is disturbing, the implications for enterprise and infrastructure environments are downright scary," the Senrio blog post noted in June. Manufacturers often opt to reuse firmware code across products to create cost savings and cut development time. However, code reuse can make it easier for attackers to exploit a small firmware component to launch attacks against multiple products. The problem is especially dangerous in medical device and industrial control components, according to Ridley. "Code reuse is vulnerability reuse," he said. (scmagazine.com, 07Jul16)
(U) New malware targets Macs

(U) After security researchers from Bitdefender discovered yesterday the Eleanor trojan targeting Macs and opening a backdoor using Tor, today it's ESET's turn to reveal the existence of a similar backdoor trojan that also uses a Tor2Web service to steal Keychain passwords. Named Keydnap and detected as OSX/Keydnap, this trojan is a new arrival on the Mac malware scene, first seen this past May (internal version 1.3.1), and later in June (version 1.3.5). The malware's mode of operation is very simple, even if the infection chain is drawn out in several steps. Everything starts when users receive an email that contains an archive. Unzipping this file drops what is at first glance either an image or a text file. In reality, there's a space after the file's extension, meaning the file will run in the Mac terminal. This file is a Mach-O executable that uses a fake icon. When executed, this file runs its malicious behavior and then shows an image if it's trying to pose as a picture, or a text pad if it's trying to pose as a text file. The malicious behavior is a series of operations run in the console. The file first downloads another component, which is the actual Keydnap backdoor. It then executes the backdoor, which installs itself as a LaunchAgent to get boot persistence, and then it downloads the image/text file it was posing as and shows that to the user. After this, the malicious behavior moves to Keydnap, which runs under the current user, but also tries to get root privileges by asking the user for their credentials using a popup. Keydnap then dumps the content of the Mac Keychain using the code of a GitHub project called Keychaindump and opens a link to a Tor website employing the onion.to Tor2Web proxy. The Keychain's content is sent to the C&C server via HTTPS. ESET has detected two C&C servers until now and says that, based on the decoy images the trojan shows to users in its early stages of infection, Keydnap might be after security researchers. The decoy images, in many Keydnap instances, are pictures of botnet C&C control panels, something that only infosec professionals would be interested in. Besides stealing passwords from the infected Mac, Keydnap can also download and execute files from a remote URL, download and execute Python scripts, execute shell commands and report back results, and update the backdoor with a new version. (Softpedia, 06Jul16)
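The lure in this chain rests on two observable facts that a mail gateway or archive scanner can check before a user ever double-clicks: the filename's visible extension is followed by whitespace, and the member is a Mach-O binary rather than the image or text it claims to be. The Python below is an added example written for this item, not ESET's detection logic; the archive listing is constructed, the Mach-O magic numbers are the documented header values, and the extension list is an assumption about which decoys matter.

```python
# Mach-O magic numbers from Apple's mach-o/loader.h and fat.h: 32-bit and
# 64-bit headers in either byte order, plus the fat (universal) container.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                         # FAT_MAGIC (shared with Java .class; weak signal)
}
# Extensions the article says the dropper imitates; list is an assumption.
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".txt")


def has_padded_extension(name):
    """True when the visible extension is followed by whitespace ('photo.jpg ')."""
    trimmed = name.rstrip()
    return trimmed != name and trimmed.lower().endswith(DECOY_EXTENSIONS)


def is_macho(data):
    """True when the first four bytes are one of the Mach-O magic values."""
    return len(data) >= 4 and bytes(data[:4]) in MACHO_MAGICS


def suspicious_entries(entries):
    """entries: iterable of (filename, leading bytes of the member).
    Returns [(name, reasons)] for members that match either tell."""
    flagged = []
    for name, head in entries:
        reasons = []
        if has_padded_extension(name):
            reasons.append("whitespace after extension")
        if is_macho(head) and name.rstrip().lower().endswith(DECOY_EXTENSIONS):
            reasons.append("Mach-O header behind image/text extension")
        if reasons:
            flagged.append((name, reasons))
    return flagged


# Constructed archive listing: member names plus the first bytes of each member.
SAMPLE_ARCHIVE = [
    ("screenshot.png ", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 8),  # the lure
    ("readme.txt", b"Release notes for the demo\n"),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),                     # genuine PNG
    ("tool", b"\xcf\xfa\xed\xfe" + b"\x00" * 12),                          # honest executable
]


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_ARCHIVE):
        print(repr(name), "->", "; ".join(reasons))
```

Either tell on its own is a lead; the two together are the signature of this particular lure. A content check (magic bytes) is the stronger of the two because a filename can be renamed in transit, while the header is what the loader will actually act on.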


(U//FOUO) Researchers describe hardware-level backdoor in computer chips

(U//FOUO) University of Michigan researchers have published a technical concept for a chip-level backdoor, according to a 4 June Softpedia report. 
Instead of working like a transistor, the backdoor works as a capacitor and stores a little more charge with every new command it receives. Malicious 
code can target that area of the chip to start charging the capacitor and, after a certain threshold is reached, direct the system to switch into a 
privileged execution mode. Attackers could then run code on the infected device with system-level privileges. When the attacker stops the 
malicious code, the capacitor loses its charge and the backdoor automatically closes itself. According to the researchers, most chip design companies 
outsource chip fabrication to a third party, often overseas, and rely on post-fabrication testing to guard against malicious modifications. However, 
since attackers can craft attack triggers that require a sequence of unlikely events, even the most diligent tester can never detect all possible 
modifications. Nation states would only need one or two strategically placed employees at a company to guarantee access to all devices containing 
the malicious chip. To counter the threat, the researchers recommended specific new testing technologies for the affected companies. 
(news.softpedia.com, 04Jun16) 
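To make the trigger mechanism concrete, here is an added toy model, not the researchers' design or any real circuit: a leaky integrator that gains charge each time the attacker toggles a wire, bleeds charge every cycle, and drives a "privileged" line once a threshold is crossed. The charge, leak and threshold values are invented, as is the 2 percent toggle rate used to stand in for a post-fabrication tester; the point it shows is that random test stimulus never accumulates enough charge, a deliberate burst does, and the charge drains away once the attacker stops.

```python
"""Toy leaky-capacitor trigger model (added illustration, not the A2 design).

All constants below are hypothetical values chosen to show the behaviour.
"""
import random

CHARGE_PER_HIT = 1.0    # charge added each cycle the attacker toggles the trigger wire
LEAK_PER_CYCLE = 0.2    # charge that bleeds off every clock cycle, hit or not
THRESHOLD = 8.0         # charge level at which the privilege line is driven high


def run(cycles, hits_at):
    """Simulate `cycles` clock cycles.

    `hits_at` is the set of cycle indices in which the trigger wire is toggled.
    Returns (flipped, history): flipped is True if the privilege line was ever
    asserted; history holds the capacitor charge after each cycle.
    """
    charge = 0.0
    flipped = False
    history = []
    for cycle in range(cycles):
        if cycle in hits_at:
            charge += CHARGE_PER_HIT
        charge = max(0.0, charge - LEAK_PER_CYCLE)   # passive discharge
        if charge >= THRESHOLD:
            flipped = True                          # backdoor opens
        history.append(charge)
    return flipped, history


def attacker_burst(start, length):
    """Dense toggling: every cycle for `length` cycles, starting at `start`."""
    return set(range(start, start + length))


def random_test_vectors(cycles, toggle_probability, seed=0):
    """Tester stimulus: the wire toggles independently at random each cycle."""
    rng = random.Random(seed)
    return {c for c in range(cycles) if rng.random() < toggle_probability}


if __name__ == "__main__":
    opened, hist = run(100, attacker_burst(0, 12))
    print("attacker burst opened backdoor:", opened, "| charge at end:", hist[-1])
    tested, _ = run(10_000, random_test_vectors(10_000, 0.02))
    print("random post-fab testing opened backdoor:", tested)
```

With these numbers each toggled cycle nets 0.8 units of charge, so ten back-to-back toggles are needed to reach the threshold, while sparse random stimulus drains faster than it accumulates. That asymmetry is the detection problem the paragraph describes: functional tests exercise the chip, but not the exact dense sequence the attacker knows.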


(U) HHS issues ransomware guidance 

(U) Hospital systems, medical practices and others that deal with sensitive health information are required to protect that information under health 
privacy law. Typically, in the event of a cyber breach, health providers are required to notify patients that their information has potentially been 
compromised. But ransomware attacks are different from other kinds of breaches, and the notification rules have not been clear. The Office for Civil 
Rights at the Department of Health and Human Services is attempting to clarify things with long-anticipated guidance released 11 July. HHS is 
telling providers that under the Health Insurance Portability and Accountability Act, responses to ransomware attacks should include processes to 
detect and contain the impact of an attack, recover lost data, restore operations and conduct post-incident analysis to determine whether any of the 
regulatory triggers to report to patients have been tripped. Unless providers can demonstrate that there is "a low probability" that protected health 
information has been compromised, they must comply with HIPAA requirements to notify affected individuals and the HHS secretary "without 
unreasonable delay". For breaches affecting more than 500 individuals, the media must be notified as well. To demonstrate a low probability of 
compromise, a provider can identify and mitigate the damage from the attack, show a "robust" disaster recovery plan that includes frequent data 
backups, and show that data has not been stolen from the victimized system. The guidance also suggests that the best way to protect data on such 
systems is to keep it encrypted in transit and at rest: the HIPAA breach notification rule applies to "unsecured protected health information", and 
properly encrypted data does not count as unsecured. (fcw.com, 12Jul16) 


(U) White House accelerates cyber hiring 

(U) The federal government hired 3,000 cybersecurity and IT workers during the first six months of fiscal 2016, and hopes to make an additional 
3,500 new hires by January 2017. The hiring spree is part of the Cybersecurity National Action Plan, a $19 billion effort that includes the proposed 
$3.1 billion IT modernization revolving fund. While pieces of the effort are stalled in Congress, the White House is pushing ahead with the 
workforce piece of the strategy, according to a 12 July White House blog post. The governmentwide recruitment effort includes the use of special 
pay authorities, the addition of a cybersecurity cadre to the Presidential Management Fellows program and increased outreach to diversify the 
cybersecurity and IT workforce. Officials hope to improve recruitment and training and to identify workforce needs by dividing the cyber field into 
31 specialty areas. The plan also includes a single program to orient new cyber workers to the government workforce, with an eye toward 
improving information sharing and career advancement opportunities. (fcw.com, 12Jul16) 


(U) Increasing power grid cybersecurity 

(U) Cybersecurity experts Jamie Van Randwyk of Lawrence Livermore National Laboratory (LLNL) and Sean Peisert of Lawrence Berkeley National 
Laboratory (Berkeley Lab) are leading a new program to develop new data analysis methods to better protect the nation's power grid. The project, 
"Threat Detection and Response with Data Analytics," is part of a $220 million, three-year Grid Modernization Initiative launched in January 2016 
by the Department of Energy to support research and development in power grid modernization. LLNL says the goal of the project is to develop 
technologies and methodologies to protect the grid from advanced cyber threats by collecting data from a range of sources and then using 
advanced analytics to identify threats and how best to respond to them. Specifically, the project team hopes to be able to distinguish between 
power grid failures caused by cyber attacks and failures caused by other means, including natural disasters, "normal" equipment failures, and even 
physical attacks. In addition to LLNL and Berkeley Lab, DOE's Idaho, Oak Ridge, Pacific Northwest, and Sandia national laboratories are also 
participating in the project. To make the scientific results more realistic and more usable by the power industry, the group is also partnering with 
the Electric Power Board and the National Rural Electric Cooperative Association, which will help provide data and collaborate in transferring the 
technology to the power industry. The Energy Department's Grid Modernization Initiative represents a comprehensive effort to help shape the future 
of the nation's grid and solve the challenges of integrating conventional and renewable sources with energy storage and smart buildings, while 
ensuring that the grid is resilient and secure enough to withstand growing cybersecurity and climate challenges. 
(homelandsecuritynewswire.com, 12Jul16) 


(U) CryptoDrop gives users hope to prevent ransomware infections in the future 

(U) In the near future there might be a simple way to stop ransomware infections from locking your files, if we are to believe a team of researchers 
from the University of Florida and Villanova University. The team presented the CryptoDrop project at the recently concluded IEEE International 
Conference on Distributed Computing Systems, held 29 June in Nara, Japan. CryptoDrop is a computer application, currently working only on 
Windows, that keeps an eye on the user's filesystem for operations characteristic of ransomware. These include a surge of file modifications whose 
written contents have much higher Shannon entropy than what was read (encrypted data looks random), file type changes (the file's magic bytes no 
longer match its extension, or the extension itself is rewritten, as ransomware commonly does), and a few others. When CryptoDrop makes a 
detection, it stops the process and alerts the user that something suspicious is happening. The application is not designed to work like an antivirus 
but alongside one. The researchers say CryptoDrop cannot detect or stop ransomware before it starts encrypting files, only once it has started, so a 
capable antivirus is still recommended to prevent and block common ransomware threats from taking root on a PC in the first place. The good news 
is that, during testing on a computer with 5,100 files, CryptoDrop detected and stopped ransomware infections in their early stages. The researchers 
tested their system against 492 ransomware samples, got a 100 percent true positive rate, and the ransomware encrypted a median of about ten 
files before being detected and stopped. The project is similar to what Sean Williams built this winter with his Cryptostalker project, which worked 
in a similar way but for Linux systems. Just like Cryptostalker, CryptoDrop has issues with false positives at the process level: legitimate programs 
that rewrite many files with high-entropy output, such as compression or encryption tools, look much like ransomware to these indicators. More 
details can be found in the research paper presented at the IEEE conference, "CryptoLock (and Drop It): Stopping Ransomware Attacks on User 
Data." (Softpedia, 11Jul16) 
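The following Python is an added illustration of the indicator logic described above, not CryptoDrop's own code: it scores each file write on three signals (file type change by magic bytes, a jump in Shannon entropy between the data read and the data written, and an extension change), accumulates the score per process, and "stops" a process once it crosses a threshold. The event records, process IDs, magic table, entropy cut-off and alert threshold are all constructed or assumed for the example. It also goes one step past the text to show the false-positive problem the article mentions: a legitimate compressor turning a text file into a ZIP trips the same three indicators.

```python
"""CryptoDrop-style ransomware indicators over a constructed event stream.

Added example, not the researchers' implementation. Thresholds are hypothetical.
"""
import math
from collections import defaultdict

# Minimal magic-byte table (assumed subset, enough for the sample events).
MAGIC = {
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}
ENTROPY_JUMP = 2.0   # bits/byte increase from read to written data that counts as suspicious
ALERT_SCORE = 3      # indicator points per process before it is stopped (hypothetical)

# Constructed file contents: a near-empty PNG (very low entropy) and 256 distinct
# bytes (exactly 8 bits/byte, what ciphertext looks like to an entropy measure).
LOW_ENTROPY_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 248
HIGH_ENTROPY = bytes(range(256))


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def file_type(data):
    """Classify by leading magic bytes; 'unknown' when no entry matches."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def score_event(before_path, before_bytes, after_path, after_bytes):
    """Indicators fired by one overwrite/rename of a file, in a fixed order."""
    hits = []
    if file_type(before_bytes) != file_type(after_bytes):
        hits.append("type_change")
    if shannon_entropy(after_bytes) - shannon_entropy(before_bytes) >= ENTROPY_JUMP:
        hits.append("entropy_jump")
    if before_path.rsplit(".", 1)[-1] != after_path.rsplit(".", 1)[-1]:
        hits.append("ext_change")
    return hits


def monitor(events):
    """Accumulate indicator points per pid; stop a pid once it reaches ALERT_SCORE.

    events: iterable of (pid, before_path, before_bytes, after_path, after_bytes).
    Returns (scores_by_pid, stopped_pids). Events from a stopped pid are ignored,
    mirroring the monitor having killed the process.
    """
    scores = defaultdict(int)
    stopped = set()
    for pid, bp, bb, ap, ab in events:
        if pid in stopped:
            continue
        scores[pid] += len(score_event(bp, bb, ap, ab))
        if scores[pid] >= ALERT_SCORE:
            stopped.add(pid)
    return dict(scores), stopped


def sample_events():
    """Constructed events: one ransomware-like process, one benign editor, one compressor."""
    notes = b"meeting notes " * 18
    return [
        (4242, "report.png", LOW_ENTROPY_PNG, "report.png.locked", HIGH_ENTROPY),  # ransomware
        (4242, "budget.pdf", b"%PDF-1.4 " + b"\x00" * 200, "budget.pdf.locked", HIGH_ENTROPY),
        (1, "doc.txt", b"draft one", "doc.txt", b"draft two"),                      # benign edit
        (777, "notes.txt", notes, "notes.zip", b"PK\x03\x04" + HIGH_ENTROPY),       # compressor: false positive
    ]


if __name__ == "__main__":
    print(monitor(sample_events()))
```

Process 4242 is stopped on its very first file, which is the "a handful of files lost" outcome the article reports; process 777 is stopped too, even though it is a compression tool, which is the process-level false positive both CryptoDrop and Cryptostalker struggle with. Whitelisting known archivers or weighting the similarity of written data against what was read, as the paper does, is what separates a usable monitor from this sketch.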


(U) Avast to acquire antivirus rival AVG 

(U) Although Avast and AVG both offer paid security tools, they are best known for their free antivirus software. Some people confuse the two 
firms because of the similarity of what they do, the fact that their names begin with the same letters, that they were founded at around the same 
time, and that both originated in the Czech Republic. That confusion soon won't be an issue, as today Avast announced it is set to acquire AVG. Avast 
is offering $25 per share, about $1.3 billion in total, for its rival and is awaiting AVG shareholder approval (Avast, unlike the publicly listed AVG, is 
itself a private company). As to what this means for users of AVG and Avast products, it's hard to say for certain until the deal is finalized. (BetaNews, 
07Jul16) 